[ipv6hackers] Status on NDP Exhaustion Attacks?

Owen DeLong owend at he.net
Wed Sep 28 07:40:31 CEST 2011

On Sep 27, 2011, at 4:59 PM, Jim Small wrote:

> Are there any new defenses for NDP Exhaustion attacks:
> http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
> I have heard that Cisco has implemented some protection against this but I haven't uncovered any specifics just yet.
> The author's recommendation was to use smaller subnets that /64s.  My experience from teaching networking is that VLSM/Subnetting adds complexity and that if all host/server networks in IPv6 could be /64s it would make networking easier.
> Is there a good solution to this problem besides smaller subnets?
>  --Jim

The primary solution is that while ND exhaustion attacks are a reality, remote ND exhaustion attacks can be mitigated with reasonable firewall rules in most cases. Unless you are a university, it's rare that you really need to defend against an internal DOS attack that doesn't yield anything other than DOS.


More information about the Ipv6hackers mailing list